Mails being received, the to, from and subject headers are missing
Problem reported by Debby Coutinho - 6/5/2019 at 7:16 AM
We are having a weird issue on one of our mail servers, this has been running for 4 or 5 years now, but since last week we started having an issue where client started reporting they were receiving mails that there was no info, ie to, from, subject etc. Investigating this it seems as if the headers are all removed from the mail, the tracking headers are also removed and only the last delivering servers info is in the mail. We assumed it might be our antispam or declude or spamassassin doing this, where we disabled these completely and the issue still persists, it seemed it is related to mails coming from mimecast servers only and have reported a call with them as well. 

Whilst we are waiting I decided to stop the spool for 10 minutes at a time, I then copied the mails to another folder and then started the spool again to let the mails be delivered. Now the issue is seen maybe 1 mail in 150 mails received. I managed to collect 4 of these mails, and they all looked like the were delivered to us with the headers missing, I eventually got 1 mail where it displayed in the mailbox as headers all gone, but in searching the folder i got the email and in the received email all the headers etc are there. This now tells me it is our server doing this. I dropped this same mail into the drop folder and then the mail delivers to the mailbox with all the info in the mail. 

So it seems that this is to do with the actual smartemail server itself. I have reinstalled the software and this has not resolved the issue. I have tried stopping all the antispam and antivirus on the server and this has not resolved the issues.  I thought this was specific to this server, but now I see on our quieter servers there are a few of these mails as well, our other servers are on older software 12.5 being used as spool servers, and the main servers are v15. I know this is older software, but why all of a sudden would this issue start over the past 7 days only..

I am at my wits length now not knowing if this is indeed our server or maybe still an issue with the delivery of the mails, anyone having similar or had similar issues like this ?

7 Replies

Reply to Thread
Liam Dwyer Replied
We are also experiencing this issue with "some" emails originating from Mimecast servers.  It is hit and miss and the same Mimecast server might deliver 10 mails fine, and then 3 or 4 will be missing the headers.

I stopped the spool and was able to successfully capture some failed messages. and have pasted them below.  These are the RAW eml files that appear in the spool folder.  (Confidential data removed).  As you can see most of the normal headers are missing, and all but the last "Received:" headers are missing as well.

Return-Path: <###@##.com>
Received: from eu-smtp-delivery-185.mimecast.com (eu-smtp-delivery-185.mimecast.com []) by ##.##.## with SMTP;
   Tue, 4 Jun 2019 16:50:16 -0400
Content-Type: multipart/alternative;

Return-Path: <##@##.com>
Received: from us-smtp-delivery-181.mimecast.com (us-smtp-delivery-181.mimecast.com []) by ##.##.## with SMTP;
   Wed, 5 Jun 2019 10:51:02 -0400
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable

There does not seem to be any pattern to which messages fail or any pattern with originating domains.  This just started happening the last week or so.  We are on SmarterMail Enterprise Build 7068 (May 9, 2019).  This server has been running fine for several years and we updated shortly after this version was released.

Kyle Kerst Replied
Employee Post
Hello everyone. We have received misc reports of similar behavior, and through deeper investigation we were able to confirm the messages are being handed off without a from address and other pertinent details. As such, I recommend submitting a support ticket with Mimecast to have them perform the relevant diagnostics. If you require further assistance with this after speaking with them I strongly suggest submitting a support ticket so we can look into this further. 

If possible, please provide the Delivery/SMTP session logs associated with the failed messages, and collect Wireshark packet captures of these same sessions as these should help confirm the missing header information during handoff. 
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
Rolf Jacobs Replied

I have (2) separate installations reporting the same behavior.
Seems to be hit and miss...  Sometimes messages pass through OK, other times they are stripped down...

Starter a week or so ago...  I have read some very recent comments from folks with similar behavior and the first suggestion I tried was turning OFF all SPAM checking.  Seemed to help some but not completely.  This is obviously only a temp solution to try and figure out the source.

Was about to try another suggestion turning off CLAMAV but came across this thread first.

Tried your suggestion of contacting Mimecast directly by phone but learned pretty quickly that they are not going to take a phone call or accept a trouble ticket from a NON-Customer...  So not sure how to submit a ticket with them.

Doesn't it make more sense for Smartmail to contact them and explain that something they are doing or have recently changed is affecting your customers...

Before seeing this thread I just assumed this was some basic ransomware method Smartermail was using to force old customers to re-buy the latest version...  No proof of that of course, just a coincidence I suppose...  Not objecting to the practice if that's part of it...  Better ways to go about it, if it is, to get the same result....

I am a firm believer of "if it ain't broke" However, since it had been a while and Smartmail has been fairly robust for going on 14 years, I didn't have a problem paying up at one of our locations to see if it fixes the problem..

Copied my mail VM last night, un-installed 14.5 and then installed the 7090 build.  Didn't go perfectly smooth. Only have two domains, one Primary with 277Gig of mail and appx 60 users and a small unimportant domain with 20gig and 3 users.  The 3-user worked right out of the box but the primary domain failed..  After some quick work from Tony in Support (Him and Emily have both been great by the way)  he had us up in no time...

It's only been a couple hours so I cannot confirm if the upgrade resolved the stripping problem we (and others) are having but I will provide more feedback over the next day or so..

I am hesitant to spend another $500 something on the second location if Smartermail's suggestion is to suggest all of our customers contact Mimecast...  That is not likely to happen...

Come on Kyle,  There has to be something more that can be done...

Sébastien Riccio Replied
Rolf, I don't see how this would be a strategy from Smartermail to force an upgrade. For this to happen you would need to install an update that contain code to create this behavior.

On another hand if you google a bit mimecast and missing headers, you can see people with other mailservers having same issue with mimecast:

Not sure it's related but kind looks like your issue.

Sébastien Riccio
System & Network Admin

Kyle Kerst Replied
Employee Post
Unfortunately I was not able to get through to Mimecast support either due to not being a customer, as they require an account number for security reasons. I did see on the Spiceworks page though that Mimecast has escalated that user's ticket and so hopefully this will be resolved soon.
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
Jade D Replied
I can confirm that we have seen the exact issue across all of our smartermail servers and the common denominator is mimecast.

We've advised our clients to notify the sender who in turn needs to raise the issue with mimecast.
CTL Replied
pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             for more information.
                            [URIs: outlook.com]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 1.2 MISSING_HEADERS        Missing To: header
 0.1 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.1 MISSING_MID            Missing Message-Id: header
 1.8 MISSING_SUBJECT        Missing Subject: header
 1.0 MISSING_FROM           Missing From: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.4 MISSING_DATE           Missing Date: header
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers

 Smartermail support team have a look serious issue  missing header leads major mail went to spam folder  like hotmail & Gmail

Server Build 7242

Any one fix the issue then let me know ?

Received: from SN1NAM04HT109.eop-NAM04.prod.protection.outlook.com (2603:10b6:4:16::28) by DM6PR20MB2890.namprd20.prod.outlook.com with HTTPS via DM5PR2001CA0018.NAMPRD20.PROD.OUTLOOK.COM; Tue, 10 Dec 2019 15:37:57 +0000 Received: from SN1NAM04FT055.eop-NAM04.prod.protection.outlook.com ( by SN1NAM04HT109.eop-NAM04.prod.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18; Tue, 10 Dec 2019 15:37:57 +0000 Authentication-Results: spf=pass (sender IP is smtp.mailfrom=domain.com; msn.com; dkim=pass (signature was verified) header.d=domain.com;msn.com; dmarc=pass action=none header.from=domain.com; Received-SPF: Pass (protection.outlook.com: domain of domain.com designates as permitted sender) receiver=protection.outlook.com; client-ip=; helo=ip-hostname.com; Received: from hostname.com ( by SN1NAM04FT055.mail.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2495.18 via Frontend Transport; Tue, 10 Dec 2019 15:37:55 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:16A32B0AD31D936B2C291A8A1588233F530479D71E65E6EA7E5C46DB530E66A6;UpperCasedChecksum:5D230915B8CAE4A3127B63A81AB1FACA48B87D2B99BA53067919801849AC36BE;SizeAsReceived:1120;Count:11 X-SmarterMail-Authenticated-As: binesh@domain.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=secure; h=content-type:mime-version:message-id:reply-to:date:subject:to :from; bh=TE2EDjIuFNmDS5BEW6/RHy/dpi+BUZaN3wH/505TvN0=; b=lbFVmayz2/BKyYqyTaJvtqHmrTYiEFj4zP+Qko8M0x3hQC4NRwOEiDjKXu52ZvtSc ozc4LyTCsCe1Ro7oeHPWjBn6c8Zra1esljPgf6iGYZHesMQ3j1xnSPx5IwJRA78qJ oqVfiN0FrkQFDO+n+PTggZT72En2ukWaRNNzsr+LMqIzBLX9qZ04CUUYjyEWdZ4rq AMLOoWA+4jW7wJ1S+zINxkmS1ENQymvCaiojEvIPNtmmZK5O0bRX4Ebs+CQZGWuBS CFIm/WruD2GsccCO7LDv7o7U582N23LkBvTWMgJb3quch+nJmxMX9Wb8rzYzZudie 36PT5gIKBf10e12lQ== From: "Binesh Shamunni" To: Subject: Hotmail Date: Tue, 10 Dec 2019 15:37:47 GMT Reply-To: binesh@domain.com Message-ID: Content-Type: multipart/alternative; boundary=46d27dbef45b4ecb908302ef7d881e73 X-Exim-Id: d01192b8d6de4111a92a1dd3b1c219d8 X-IncomingHeaderCount: 11 Return-Path: binesh@domain.com X-MS-Exchange-Organization-ExpirationStartTime: 10 Dec 2019 15:37:56.8257 (UTC) X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000 X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit X-MS-Exchange-Organization-Network-Message-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-EOPAttributedMessage: 0 X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0 X-MS-Exchange-Organization-MessageDirectionality: Incoming X-Forefront-Antispam-Report: EFV:NLI; X-MS-Exchange-Organization-AuthSource: SN1NAM04FT055.eop-NAM04.prod.protection.outlook.com X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-PublicTrafficType: Email X-MS-UserLastLogonTime: 12/10/2019 3:35:45 PM X-MS-Office365-Filtering-Correlation-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-MS-TrafficTypeDiagnostic: SN1NAM04HT109: X-MS-Exchange-EOPDirect: true X-Sender-IP: X-SID-PRA: BINESH@domain.COM X-SID-Result: PASS X-MS-Exchange-Organization-PCL: 2 X-Microsoft-Antispam: BCL:0; X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Dec 2019 15:37:55.5587 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 9dcbeebe-50ba-4059-a2ac-08d77d86edff X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1NAM04HT109 X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.9941850 X-MS-Exchange-Processed-By-BccFoldering: 15.20.2516.000 X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:1;pcwl:1;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;OFR:TrustedSenderList;ENG:(5062000261)(5061607266)(5061608174)(4900115)(4920090)(6510075)(4950130)(570107); X-Message-Info: 5vMbyqxGkddoCPm6T3bgzztAhmb7fP34GMjTzHoJs9ZCkKYuUHodCmM1q9xE0krzbJYC8rEnkoA/Flro03Pb1MW1mzcFDWWCVXdGiXmjMtLtwDN9n2CkvOcgm5v4HKdD1MRMHz75cbmfKLJ64pmSKwlIWzvXTxX3jIkIaW1oR35tMjpICfezwbB95qYOVP8aLBAPZGZn/mZ4GVFxekWiEw== X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0yO1NDTD0tMQ== X-Microsoft-Antispam-Message-Info: kEq1COIFOUGLrm2cKRwnzqP7ZkFdtKVnU2KHTwJU4cmnBGOyVbWALBis8I2SVy0961XqM4rGPZztuWo6mFJHXJFQMMJzkrlt5w91LYjW5aaU6rYx9lgItv/jvRcaWsq/tdyNjbM6pq+O3I3ukKuIx19ytJFjtl2brVl4EaNPuYr9RVqUCqA7rvPQ71/XhdSfhls80tpShfJfCHDGeCU/OtZec792LLiLIFyZvdSP4n1N9R19kNrzPQQaNWTUQvhCsylj0Yiy/WkWaUOEoIgPzpPhGu778n3HflA1GZ8TOv0G8cq5AN3nlw006dqJSrp4W4B1tjY3PIjgE8IWa/JGPKORkcfdt67bMWyhQbybm1tNvKjhwXHEAU/VuFNCNr3dSgJw1DHZ5Q29YadjAF9YN2fzAuyLVfC28zcK7Vkl47KuuAf8J2MdirI5KSmL5orXgVJ3JykIBklC0GovIlzjXYk6j77uM6/uMs0Z84AjB8sBc6R3NXOu19GdQKQzRDcWxffjj3Ovdr+ZMn5XUcyeC9tRzEdmnukylClYvRfVjSuJJ5e/WnUxRJLvUH8crzD1SiahGfZUyFjHe8A+fSHEYMpRToXFVgyG/eQZWsxbGnJP6/rSTzgBQHby5vQ8vQh2hdJFl8uG/Dcv07gGp+sF3PtCDAuwuzCoEAhJrfG48tTo4B/pgJBjcJkQlWR157hmtWnqRTS3pHcV6FC30p3G32JUFK3ZQHAaqbHa1ta60fbr1f/I1unTwiXl1Tp2aXxGdm3CdhbJXgfjOEwllWubFuO1L9ux6Jp+OlkifzDolpkNNV5+iorY7Y3DwzzpQLtLAx3BHYHUOrLBIbY7Nsc0jA== MIME-Version: 1.0

Reply to Thread